Root Causes 293: What Is Certbot?
Certbot is an important part of the ACME standard. This open source tool makes it easier for many IT administrators to use ACME to automate provisioning and installation of SSL/TLS certificates.
- Original Broadcast Date: April 10, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
Today’s topic is what is Certbot?
-
Jason Soroko
Certbot is one of the many ACME clients.
-
Tim Callan
We’ve talked about ACME in the past, but Certbot is kind of a special animal, isn’t it?
-
Jason Soroko
Well, it’s very, very common. In fact, there’s other common ones as well but we are calling out Certbot just because the community that’s around it seems to be very active and not just in bug testing and all the good things that have to happen in open-source software but also in that whenever the ACME standards make a change you could pretty much count on it being in Certbot pretty darn quickly. And for those of you who are in the Linux world, installing it, using it, it’s - - I’ve used it and I’ll tell you, it’s dead solid. It just works. The commands that operate it are, you know, once you get the hang of it, it’s well thought out. So, I really congratulate the folks over at Certbot, the people who are behind it, who are behind that community. They’ve done a really great job.
And for those of you who want to experiment with installing a certificate onto a website, I’ll tell you something. I went through an experience recently with colleagues and even some friends and said, hey, let’s have some fun and we’re gonna actually go through the process of doing this. You know, installing certificates, installing SSL, and getting it done because I think, Tim, it’s quite daunting to the average non-technical person. If you’re not a dyed-in-the-wool Linux administrator, even if you are, there’s some things to know. And if you come more from the business world and you deal with risk and you deal with, hey, I want to make sure I have uptime. My websites are going to have a valid certificate. Then, I think learning something like Certbot is great and one of the great things about it, Tim, is there’s a ton of documentation out there and, again, congratulations to the community for - - you can do an internet search on Certbot and get a heck of a lot of support in using it. And it’s worth learning it. I think even for those of you who are not super technical, there’s a lot to get out of it and people who have – the friends and colleagues who I forced to do it – I tell you; they came away with a better appreciation for what it takes to actually install a certificate onto a website.
-
Tim Callan
I talked to a couple of those people about that experience and one of the things that I heard was the difference between doing it with ACME and without is pretty dramatic.
-
Jason Soroko
It is pretty dramatic, and the beautiful thing is the best practices that are involved. You can imagine it is a sensitive process. Thankfully, because of the CSR process at the beginning of when you fire up Certbot, you know, you are generating the certificate on the server and the private key that you are generating is never leaving the server, and so that CSR process is still the good old thing you’ve done in the past when you had to do it manually, but there it is. That CSR process is now done for you. You are not given this strange screen of please enter your CSR. Well, what the heck is that and how do I generate it? Oh, and by the way, I have no idea how to use OpenSSL because it’s complicated. Right? Typically, the initial response to anybody who is having to do this manually. And then all of the sudden, the connection back to the Certificate Authority that you are working with is secure and all the necessary things such as the DCV validation, the domain control validation that’s happening, the interrupt for that is clean and in newer versions of the ACME standard, we even have the ability to write EV certs.
And now we have Wildcard and we have all kinds of options we have now and Certbot supports all of that, which is terrific. And so therefore, all the way to the point where Certbot does a nice clean job – again, all part of the ACME standard, it’s wrapped really nicely. Standards and implementations are very different things and Certbot is a nice implementation of the ACME standard all the way to point where I’ve really never had a problem and those of you who do this a lot more than I do, maybe you have, but I have never had a problem with Certbot at all in making a modification to my Nginx server or my Apache server – whatever my web server happens to be. The necessary modifications to the configurations that have to happen usually work out really well and next thing you know, I walk away and I’ve got a website that has a certificate, Tim, and what a great feeling that is to do such a complicated process in just a few steps.
-
Tim Callan
So you mentioned a couple things about the open-source community. One is I believe I’m correct in understanding that Certbot originally was a creation of Let’s Encrypt which I think threw it into open-source, which a lot of ways makes me understand why it is so accomplished and so supported. It’s official or official-ish, as much as anything in the open-source world is, and so that helps a lot and it helps get support behind it. We ourselves have contributed to Certbot. Sectigo has. And a lot of other people have, too. It is great and having that kind of standard that so many people can line up behind is super helpful because you make sure that your ACME support is really clean and perfect and you just get so much value for that effort. It’s just a very leveraged activity and so these are all the reasons why the ACME standard is really taking off and doing so well.
-
Jason Soroko
That’s right. You know, if we are talking about Certbot, I think we do need to, though, talk about the built-in ACME standards that are within the Apache server.
And those are really easy to use as well. There were some transition periods where the ACME standard had changed and Apache server themselves, that community, hadn’t quite updated their inbuilt open-source implementation of the ACME protocol and so, you know, it just might take a little bit of time but I just happened to experience that hiccup during that period of time, and it was a little bit frustrating because there were some things I wanted to do, couldn’t do it and had to wait. But eventually the community came around and put it in.
-
Tim Callan
And that’s not gonna be done. I mean ACME is great. There are things that exist in the certificate lifecycle that ACME doesn’t support yet and I’m sure there’s a desire to have those, and I’m sure over time those will make their way in. And when they do, supporting software like Certbot or Apache is going to have to get updated.
-
Jason Soroko
And it will. And it will. It was always just a matter of time and when you go onto the boards and the forums where people are discussing this, you can tell everybody is on it.
It’s a big deal and it’s great because it’s so fundamental. It’s not what I would call certificate lifecycle management but it certainly is a first step in a best practices automation and provisioning of certificates and hallelujah that we’ve got this new way of doing things. Even if you are a hardened Linux administrator, you are gonna have a hard time convincing me that it doesn’t save you a lot of time and saving a lot of guesswork in, hey, did I do that right? Did I check off all the boxes? Well, really good implementations like Certbot of the ACME standard will get you there.
-
Tim Callan
And that point about installation I think is very important, Jay, because if you think in the world of automation, absent installation there is still a significant intervention that is required by the Sys Admin, right? So, I could have something that it is automated, it’s monitoring them, it’s knowing that they’re expiring; it’s alerting me; it could even go provision a new cert. It could deliver that cert to me. If it could just install it, then I could really walk away. And if I have to then take these certs and install them, that once again becomes a significant source of human error. It’s bogging your humans down and they could be doing better things. It’s taking a lot of time. It’s introducing the possibilities for errors. It’s repetitive and mind numbing and there’s all of these issues that come up and with installation, with reliable automatic installation, now truly short-lived certs become a real thing.
-
Jason Soroko
That’s right.
-
Tim Callan
I could have 90-day certs or 10-day certs or 1-day certs.
-
Jason Soroko
And we are probably gonna get to shorter and shorter lifespans. That term of 10 days has come up now.
-
Tim Callan
Exactly. We just talked about that in a recent episode or in a couple recent episodes where 10 days is coming up as an important new duration for a cert and you do not want to be installing new certs every 10 days even if they are being automatically provisioned for you. Even if they are showing up in your mailbox. That element of it is very important and that’s obviously what ACME brings to the table.
-
Jason Soroko
It certainly does, and this podcast today was really to talk about one of the most popular of the implementations for the ACME standard, and we are glad it’s out there. We are glad for that community and for everybody else who works on all the other ACME implementations as well because there’s a lot of them out there for various platforms.
You know, for those of you who are super technical and you are just listening in, you know, we are not talking about some kind of very friendly little Windows application or mobile application that you fire up and it’s got a little GUI and you click a few buttons and you get your cert. This is still some work in the Linux world, at the Linux command line, but certainly it’s an application that runs at the command line that does the best practices of implementing the ACME standard and getting that cert installed correctly, safely, securely and even in a friendly way that does your complex, sometimes complex configuration of that web server – of your web server configuration. Which to me, my goodness, the ease and ability to fat finger that, Tim, and to get it wrong and to take your site down.
-
Tim Callan
Yes. There are things that software is good at and there are things that software isn’t good at, and this is just such an example of the kind of thing that software is excellent at. Let’s let it do this work for us.
-
Jason Soroko
Some of you might think, you know, is it a script? Well, yeah, there’s obviously code going on behind the executable of this agent but for those of you who haven’t played with it, it’s not the equivalent of an Ansible script or something like that. It is something that does execute. So, you know, it’s packaged nicely. There are other implementations that are much more flexible for really crazy strange environments that you might want to put certs as well. But this is the nice clean one for most of the Linux distributions that are out there.